INFORMATION TEXT ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
As Estetik World Sağlık Hizmetleri A.Ş. (“Esteworld”), in our capacity as data controller, we attach great importance to the protection of your personal data under Law No. 6698 on the Protection of Personal Data (“Law”) and related secondary legislation, as well as the General Data Protection Regulation (GDPR). This Information Text on the Processing and Protection of Personal Data (“Text”) has been prepared to inform you about the sources from which we obtain your personal data, our legal grounds for obtaining and processing personal data, the purposes for which we process your personal data, whether we transfer personal data and to whom and for what purposes, and your legal rights.
Esteworld processes your personal data in accordance with the law, prevents the unlawful processing of your personal data and unauthorized access to such data, and has taken all necessary technical and administrative measures to ensure the appropriate level of security for the preservation of personal data.
I. INDIVIDUALS WHOSE DATA WE PROCESS
Esteworld, in its capacity as data controller, processes personal data limited to the following groups of individuals:
- Our employees
- Our job applicants (including reference persons declared by job applicants)
- Our interns and on-the-job training participants
- Our patients
- Individuals contacted or interviewed for diagnosis, treatment, or similar services
- Patient relatives and companions
- Parties to any commercial activity or authorized persons/employees of companies with whom we cooperate or will cooperate for commercial activities (e.g., supply, advertising, support, marketing, accommodation, transportation, reference sources)
- Shareholders or individuals with whom shareholder discussions are held
- Our legal advisors, lawyers, and consultants or authorized persons/employees of consultancy firms
- Visitors
- Legal representatives, parents, guardians of all data subjects
- Persons who are parties to legal proceedings and their legal representatives
- Third parties with whom we have communicated, even if they have no commercial or legal connection with our company.
II. PERSONAL DATA WE PROCESS
Esteworld, in its capacity as data controller, processes the following personal health data, general and special categories of personal data, in accordance with the principles of “lawfulness,” “necessity,” “purposefulness,” and “proportionality.”
- Identity Data: All data related to identity such as name-surname, nationality, Turkish ID number, passport number and information or temporary Turkish ID number if not a Turkish citizen, place and date of birth, marital status, gender information.
- Contact Data: All data related to communication such as residential address, correspondence address, mobile phone number, e-mail address.
- Visual and Audio Data: Image and sound recordings obtained by the company’s closed-circuit security cameras, voice call recordings kept if you communicate with our call center, and personal data recorded as photos or videos with specific written consent and permission (anamnesis) for promotional, research, medical, or aesthetic/cosmetic procedure confirmation/evidence, or to convince other potential patients for medical procedures, are included in this scope.
- Personnel Data: Data taken in accordance with law or employment contracts regarding personnel matters such as employees’ start date, salary, monthly working days.
- Education Data: Data regarding the educational status of employees, job applicants, interns, or on-the-job training participants in the company, or other relevant individuals.
- Work and Profession Data: All data related to work or profession for employees, job applicants, interns, or on-the-job training participants in the company, or other relevant individuals (including professional experience, diplomas, course data).
- Comment and Complaint Data: Comment and complaint data submitted to our Company with consent and permission via the website or other channels for the purpose of evaluating our services.
- Location Data: Address or location data transmitted by individuals through any means and with their own consent.
- Transaction Security Data (IP Data and Cookies): IP address, MAC ID, browser information, and website login/logout and password information are included in this scope.
- Legal Data: All data regarding individuals being plaintiffs or defendants and enforcement data. Data related to employees in the company and any person who has a lawsuit or enforcement proceeding with the company.
- Financial Data: Data such as individuals’ bank account numbers and IBAN numbers. This data is requested and processed for employees in the company and patients receiving services from the company.
- Health Data: All health data obtained during the execution of medical diagnosis, treatment, and care services, such as laboratory and imaging results, medical test results, blood type, examination data, prescription information, which must be legally followed in medical files and processed with the individual’s consent. Additionally, health reports and other medical documents in the employee’s personnel file are also included in this scope.
- Vehicle License Plate Data: Vehicle license plate data is included in this scope if the company’s parking lot or special valet service is utilized.
- Customer Transaction Data: Call center records, invoices, promissory notes, checks, teller receipts, order information, request information, etc., are included in this scope.
- Clothing Data: Body data, inventory, uniform, material and shoe size, etc., are included in this scope.
- Biometric Data: Palm information, fingerprints, retinal scans, facial recognition, etc., are included in this scope.
- Risk Management Data: Data processed for the management of commercial, technical, and administrative risks are included in this scope.
- Physical Space Security: Employee and visitor entry/exit records, security camera recordings are included in this scope.
- Association, Foundation, and Union Data: Association and foundation data may be required for social responsibility and workplace organizations, while union data may be necessary during union dues deductions.
III. PROCESSING OF PERSONAL DATA
A. OBTAINING PERSONAL DATA
1. Channels and Methods of Personal Data Collection
Your personal data is obtained through channels such as:
- As a result of communication with our call center.
- As a result of communication through the live support application on our website.
- As a result of communication with Esteworld doctors or relevant personnel via phone, WhatsApp Application, or email.
- As a result of communication established via phones used by Esteworld marketing and promotion personnel or via SMS or WhatsApp etc. applications.
- If you apply to Esteworld, as a result of your communication with doctors or relevant personnel via phone, SMS, or WhatsApp etc. applications.
- If you apply to Esteworld, as a result of your face-to-face meetings with doctors or relevant personnel.
- As a result of personal data being present in contracts and other commercial activity documents, and communication platforms of individuals and company officials or employees with whom a business relationship is established due to commercial activity.
- As a result of personal data being present in contracts and other commercial activity documents, and communication platforms of our Legal Advisors, Lawyers, and Consultants or authorized persons/employees of consultancy firms.
- As a result of applications made through “contact us” or “get information” panels via social media for promotion and advertising.
- As a result of requesting personal data and mobile phone numbers for encryption, as required by legislation, to connect to the guest wireless network (Wi-Fi) within the scope of wireless Internet service.
- Data obtained by recording the MAC ID (Device ID Information) from entries made to the website.
- In cases where we communicate with third parties or they communicate with us, even if they have no commercial or legal connection with Esteworld, as a result of personal data being present in communication platforms.
- Similarly, through other legal data acquisition methods.
B. PURPOSES AND LEGAL REASONS FOR PROCESSING PERSONAL DATA
1. Purposes of Personal Data Collection and Processing
Your personal data and special categories of personal data mentioned above will be processed for the following purposes:
- Fulfilling legal obligations and conducting all types of work within the scope of the activity in a legal framework.
- Fulfilling contractual provisions.
- Providing health services (conducting medical or medical/cosmetic diagnosis, examination, treatment, and all types of care services).
- Commercial activity and business requirements.
- Sectoral (health) requirements:
- Protecting public health, whether patient or not, conducting preventive medicine, medical diagnosis, treatment, and care services.
- Sharing information requested by the Ministry of Health and all other relevant official institutions and organizations as required by health legislation.
- Financing your health services, covering examination, diagnosis, and treatment expenses by customer services, financial affairs, and marketing departments.
- Informing patients about appointments via customer representatives, call centers, and other channels.
- Identity verification by patient services and other operational units.
- Measuring, increasing, and researching patient satisfaction by hospital management, patient rights, and patient experience departments.
- Billing by patient services, financial affairs, and marketing departments.
- Responding to all kinds of questions and complaints regarding our health services by hospital management, patient rights, call center, and patient relations departments.
- Technical requirements:
- Planning and managing internal institutional processes by the call center, patient relations, hospital management.
- Research and analyses conducted by service delivery quality, patient experience, and information technology departments to improve the quality of health services.
- Providing training to employees by human resources management and quality departments.
- Monitoring and preventing misuse or unauthorized transactions by internal audit and information technology departments.
- Performing risk management and quality improvement activities by quality and information technology departments.
- Taking all necessary technical and administrative measures within the scope of data security by hospital management and information technology departments.
- Enabling necessary communications by authorized personnel for the provision of transportation, accommodation, and hospitality services within the scope of health tourism.
- Participation in campaigns and providing campaign information by patient relations, marketing, and call center departments, designing and conveying special content, tangible and intangible benefits on web and other mobile channels, and social media to recipients.
- Enabling educational institutions with which the institution cooperates to carry out their training and activities.
2. Legal Reasons for Personal Data Collection and Processing
Your personal data and special categories of personal data mentioned above will be processed based on legal reasons specified in:
- Law No. 3359 on Fundamental Health Services,
- Decree-Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Institutions,
- Law No. 6698 on the Protection of Personal Data,
- Regulation on Private Hospitals,
- Regulation on the Processing of Personal Health Data and Protection of Privacy,
- Identity Notification Law No. 1774,
- Labor Law No. 4857,
- Social Insurance and General Health Insurance Law No. 5510.
As stated in Article 6, Paragraph 3 of Law No. 6698 on the Protection of Personal Data, personal data related to health and sexual life can only be processed without seeking the explicit consent of the data subject by persons or authorized institutions and organizations under the obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
C. TRANSFER OF PERSONAL DATA
Your personal data may be shared, for the purposes explained above and within the framework of the provisions of:
- Law No. 3359 on Fundamental Health Services,
- Decree-Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Institutions,
- Law No. 6698 on the Protection of Personal Data and all relevant secondary legislation,
- Regulation on Private Hospitals,
- Regulation on the Processing of Personal Health Data and Protection of Privacy,
- Identity Notification Law No. 1774,
- Labor Law No. 4857,
- Social Insurance and General Health Insurance Law No. 5510,
with:
- Ministry of Health, its affiliated units, and family health centers.
- Private insurance companies (health, pension, life insurance, and similar).
- Social Security Institution.
- Ministry of Family, Labor and Social Services.
- General Directorate of Security and other law enforcement agencies.
- General Directorate of Population and Citizenship Affairs.
- Other authorized official institutions and organizations.
- Turkish Pharmacists’ Association.
- Judicial authorities, enforcement offices, mediators.
- Laboratories, medical centers, ambulance, medical device and health service providers located domestically or abroad with whom we cooperate for medical diagnosis and treatment.
- The healthcare institution to which the patient is referred or to which the patient applies.
- Legal representatives, parents, and guardians authorized in writing.
- All real or legal third persons providing consultancy services, including lawyers, tax consultants, and auditors with whom we work under contract.
- Regulatory and supervisory institutions and official authorities.
- Companies within the group of companies to which our Hospital is affiliated.
- Banks where our company or our patients or employees have accounts in accordance with any contract with our company.
- Individual retirement companies with which we work within the scope of compulsory or voluntary BES (Individual Retirement System).
- Our suppliers, support service providers, archiving service providers, and business partners from whom we benefit or with whom we cooperate (for more detailed information, you can obtain information by applying in writing to our hospital).
- Our business partners and business contacts.
- Our shareholders and real or legal persons with whom shareholder discussions are held.
- Outsourced service providers.
- Cargo or courier companies.
- Air, land, or sea passenger transport companies.
IV. OUR MEASURES AND COMMITMENTS REGARDING THE PROTECTION OF PERSONAL DATA
Esteworld, in its capacity as data controller, protects your personal and special categories of personal data mentioned above within its own structure, in physical and electronic environments, with great sensitivity and in full compliance with the provisions of the legislation, by taking all administrative and technical measures.
Esteworld, as registered with VERBİS and included in its Personal Data Inventory, has taken all administrative and technical measures regarding the protection of your personal data.
Esteworld undertakes to protect all personal data. Technical and administrative measures to prevent unlawful processing and access to personal data and to ensure the preservation of personal data are carried out using various methods and security technologies.
Esteworld will not disclose personal data it obtains to others in violation of the provisions of Law No. 6698 on the Protection of Personal Data and will not use it outside the purpose of processing.
Esteworld has prepared and ensured the signing of all warning or consent statements, and commitments, and has implemented necessary multi-directional audit activities for cases where it is mandatory and necessary to share (transfer) personal data with external service providers and suppliers, consultants, or lawyers.
V. PROCESSING OF PERSONAL DATA COLLECTED VIA COOKIES
Esteworld does not place cookies on its website. During the use of our website and mobile application, IP address and browser information (MAC ID, IP address information, website login/logout and password information) are not collected.
VI. YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
Under Article 11 of the Personal Data Protection Law, you can exercise your rights regarding the processing and protection of your personal data by applying to Esteworld as the Data Controller in the ways specified below, provided that you prove your identity.
A. YOUR RIGHTS REGARDING YOUR PERSONAL DATA
You have the right to:
- Learn whether your personal data is processed.
- Request information if your personal data has been processed.
- Learn the purpose of processing your personal data and whether it is used in accordance with its purpose.
- Know the third parties to whom your personal data is transferred, domestically or abroad.
- Request correction of your personal data if it is incomplete or incorrectly processed.
- Request the deletion or destruction of your personal data.
- Request that, where your personal data has been transferred to third parties, the relevant third party be notified of the correction of incomplete or incorrectly processed personal data and of the deletion or destruction of personal data.
- Object to any result arising against you from the analysis of the processed data exclusively through automated systems.
- Demand compensation for damages in cases where you suffer damage due to the unlawful processing of personal data.
You can request Esteworld to destroy your data (delete, destroy, or anonymize) within the framework of the conditions stipulated in Article 7 of the Personal Data Protection Law. However, your destruction request will be evaluated by our company based on the specific circumstances of the concrete case to determine which method is appropriate. In this context, you can always request information from Esteworld regarding why we chose a particular destruction method.
Personal data collected about individuals under 18 years of age is limited to their name, surname, age, and degree of kinship, and this data can only be provided to us by the relevant adult (parent or guardian).
CASES OUTSIDE THE SCOPE OF THE RIGHT TO APPLY
Under Article 28 of the Personal Data Protection Law, personal data owners will not be able to assert their application rights in the following cases, as they are excluded from the scope of the KVKK:
- Processing of personal data for purposes such as research, planning, and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, or constitute a crime.
- Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations assigned by law to ensure national defense, national security, public security, public order, or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, judgment, or execution proceedings.
Under Article 28, Paragraph 2 of the Personal Data Protection Law, it is not possible to assert rights in the following cases, except for the right to demand compensation for damages:
- If personal data processing is necessary to prevent the commission of a crime or for a criminal investigation.
- Processing of personal data that has been made public by the data subject themselves.
- If personal data processing is necessary for the performance of supervision or regulation duties by public institutions and organizations and professional organizations in the nature of public institutions, which are authorized by law, or for disciplinary investigation or prosecution.
- If personal data processing is necessary for the protection of the economic and financial interests of the State concerning budget, tax, and financial matters.
B. WAYS TO CONTACT OUR COMPANY TO EXERCISE YOUR RIGHTS
You can exercise your rights under the Personal Data Protection Law by:
- Filling out the Personal Data Protection Application Form on our company’s website at “www.esteworldturkey.com”.
- Coming to our company’s headquarters at Altunizade Mahallesi Kısıklı Caddesi No:7 Üsküdar İstanbul, filling out the Personal Data Protection Application Form obtained from the Human Resources Management department, and submitting it in person against signature.
- Sending a letter via notary public.
- Sending an email with a secure electronic or mobile signature to info@esteworld.com.tr.
- Sending an email with a secure electronic or mobile signature to estetikworld@hs06.kep.tr.
Depending on the nature of your request and your application method, additional verifications (such as sending a message to your registered phone, calling you) may be requested by the Company to determine if the application belongs to you and thus protect your rights. For example, if you apply via your registered e-mail address, the Company may contact you using another registered communication method and ask for confirmation that the application belongs to you.
Your requests in your application will be concluded free of charge as a rule within a maximum of thirty business days, depending on the nature of the request. However, if the transaction requires an additional cost for the Company, a fee not exceeding a total of 50 (Fifty) TL may be requested, as stated in the Communiqué on the Procedures and Principles for Application to the Data Controller published in the Official Gazette dated 10.03.2018 and numbered 30356 by the Personal Data Protection Authority. If your application is caused by an error of our company, which is the Data Controller, the paid fee will be refunded to you.
Your duly submitted requests regarding the Protection of Personal Data will generally be concluded free of charge within a maximum of thirty business days from the date they reach our company.
In case of your application, “Esteworld” has the right to request some verifying information from you to confirm that you are the correct person. Unless you cancel your application, you will be deemed to have accepted these requests from Esteworld.
CONSENT AND APPROVAL
By reading this Information Text, you acknowledge, declare, and undertake that you have full and complete information about the fact that Estetik World Sağlık Hizmetleri A.Ş. carries out a data processing process within this scope, that you have been informed about the personal data processing processes, and that you consent to the processing of your personal data.
CONTACT INFORMATION
ESTETİK WORLD SAĞLIK HİZMETLERİ A.Ş.
Mersis No: 380052104600010
Contact link: www.esteworldturkey.com
E-Mail: estetikworld@esteworld.com.tr
Address: Altunizade Mahallesi Kısıklı Caddesi No:7 Üsküdar İstanbul
Phone: 0216 474 54 54
Update Date: 18.12.2019 19:33